SaaS is becoming more and more popular, especially in the US. In Europe the growth is much slower, but that is no surprise – Europe is usually some 12 to 36 months behind the US in adopting new technologies.

But there is one thing to be considered regarding SaaS – most of the SaaS offerings are more or less unmanageable. The interfaces for identity management, event management and logging and other necessary functionalities are missing. Defined APIs for controlling and integrating the SaaS applications into the existing own IT infrastructure are missing in most cases – or they are so weak that they aren’t useful.

Even more, it is virtually impossible to get the own data back in an useful format. SaaS vendors seem to consider that every information which someone stores in their SaaS application is their data – but it is the data of the SaaS customer. This is some form of aggressive lock-in.

How weak the APIs of SaaS providers are today is visible when you look at approaches like myOneLogin (which is very interesting) – only three of roundabout 60 supported SaaS applications support federation. And virtually none supports an efficient approach for provisioning users from your own directories to the SaaS application. Or have you ever asked your SaaS provider about SPML (Service Provisioning Markup Language) support? The answer probably has been something like “SPML what???”.

The missing support for standards or at least a comprehensive set of APIs for accessing, integrating and managing SaaS is, from my perspective, the biggest risk for SaaS. At some point of time the customers will ask for these features. The vendors which still believe that the world ends at their own perimeter and who claim that every data which someone enters into their SaaS application belongs to them will be shaken out of the market. For good reason.

Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time. IRM is about protecting the information directly, through signatures, encryption and a direct assignment of rights. These rights describe who is allowed to do what with that piece of information.

There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM. Another reason are the somewhat limited implementations. Most of them are fine for a limited set of applications and environments. Microsoft’s Windows Rights Management Services are great for Windows and Office. They even work in a B2B environment with some trust between the partners. But they are mainly for Microsoft apps. How about CAD and blueprints? How about the other office apps? And all the other types of documents, starting from XML documents, which are sent and stored? There are some other solutions, but most of them are either from pretty small vendors or very limited in scope.

But the most important reason is, in my opinion, that the relevance of Information Rights Management isn’t fully understood. Even when I talk with IAM responsible, IRM seems to be amongst the best hidden secrets. But access control which is limited to data in a silo like a file server or a document management system isn’t sufficient. Data is read and used by users, attached to mails, transferred via FTP – the perfect way to bypass most security concepts [I had a very interesting conversation with Taher Elgamal from Tumbleweed some days ago – Taher has been responsible for “inventing” SSL at Netscape, and it is definitely worth to have a look at Tumbleweed’s approaches to minimize FTP risk] and so on.

But if you look on it the other way round, everything is fine. IRM works as well for data which is stored in silos. With other words: If you use IRM for any type of information there is no necessity anymore for the classical access control approaches. The best way to protect information is to do it directly at the level of the information – and not at the level of one of these many systems which might change, transport or store the information. Given that, it is really time for an industry-wide initiative for IRM standards which work on every platform and with every type of information and every application.

Some time ago, as a result of some of the fundamental reorganizations Siemens had to do within the last two years ago, the department responsible for the DirX solutions has been moved into the healthcare unit of Siemens. That was a somewhat unusual place for an identity management product unit. Now, Siemens is reorganizing again. Besides three core areas (Industry, Healthcare, Energy) there will be several cross-sector activities. One of these is Siemens IT Solutions and Services.

Within the Siemens IT Solutions and Services (SIS) there will be a unit “Identity Management and Biometrics” in which Siemens bundles its DirX and Biometrics activities.SIS will offer complete solutions including Smartcards, PKIs and security consulting around the products of this unit. Besides this the unit will work with VARs and plans to enlarge its set of partners beyond Siemens Enterprise Communications and some few other partners they currently have. There are also plans to extend the IAM portfolio through partnerships.

Even while we have to wait how well the new structure works, how successful SIS is in selling IAM projects up to a complete outsourcing and how the partner landscape around DirX will change – Siemens is now in an obviously much better position again. The new organizational structure is by far more logical than the placement in the healthcare department has ever been. We will observe how the new structure works in reality. But Siemens should be considered as a strong vendor again, even if you might haven’t done this for some time.

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that Salesforce.com has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term “cloud” been chosen because everything out there is a bit “cloudy” in the sense of “fuzzy”?].